Automated Credential Harvesting Campaign Exploits React2Shell Flaw in Next.js Web Apps
What Happened — An emerging threat cluster (UAT‑10608) is leveraging the publicly‑disclosed React2Shell vulnerability in web‑exposed Next.js applications. The attackers use an automated tool to harvest credentials, API secrets, and other system data from vulnerable sites.
Why It Matters for TPRM —
- Credential and secret leakage from a third‑party SaaS front‑end can cascade to downstream services and data stores.
- Automated, low‑skill attacks increase the probability of compromise across a broad vendor base.
- Unpatched Next.js deployments represent a supply‑chain risk that can affect multiple business units.
Who Is Affected — Technology SaaS providers, cloud‑hosted web platforms, e‑commerce sites, media portals, and any organization running publicly accessible Next.js applications.
Recommended Actions —
- Conduct an inventory of all Next.js‑based services and verify they are patched against the React2Shell flaw (CVE‑2024‑XXXX).
- Deploy Web Application Firewall (WAF) rules to block known exploitation patterns.
- Rotate any credentials or secrets that may have been exposed and enforce short‑lived secrets where possible.
- Implement continuous monitoring for anomalous credential usage and data exfiltration.
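One way to drive the inventory step above, as an added example that is not from the article or from the Next.js project: a Node helper that takes each service's parsed package-lock.json, extracts the installed Next.js version and compares it with a minimum patched version. The article gives no fixed version, so MIN_PATCHED_NEXT_VERSION is a placeholder that yields "unknown" until replaced, and the sample lockfiles are constructed.

```javascript
// Added example: triage Next.js services from their lockfiles.
// PLACEHOLDER: set this to the fixed version from the vendor advisory.
// While unparseable, every Next.js service is reported as "unknown".
const MIN_PATCHED_NEXT_VERSION = "REPLACE-WITH-FIXED-VERSION";

// Parse "14.2.3" (optionally prefixed with ^ or ~) into [major, minor, patch].
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two versions: -1, 0 or 1; null if either cannot be parsed.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Installed Next.js version from a lockfile v2/v3 ("packages" map)
// or v1 ("dependencies" map); null when Next.js is not installed.
function installedNextVersion(lock) {
  const pkgs = lock.packages || {};
  if (pkgs["node_modules/next"]) return pkgs["node_modules/next"].version;
  const deps = lock.dependencies || {};
  return deps.next ? deps.next.version : null;
}

// Classify one service as not-nextjs, unknown, vulnerable or patched.
function assessService(lock, minVersion = MIN_PATCHED_NEXT_VERSION) {
  const version = installedNextVersion(lock);
  if (!version) return { version: null, status: "not-nextjs" };
  const cmp = compareVersions(version, minVersion);
  if (cmp === null) return { version, status: "unknown" };
  return { version, status: cmp < 0 ? "vulnerable" : "patched" };
}

// Run the assessment over a name -> parsed lockfile map.
function inventory(lockfiles, minVersion) {
  return Object.fromEntries(Object.entries(lockfiles)
    .map(([name, lock]) => [name, assessService(lock, minVersion)]));
}

// Constructed sample lockfiles standing in for three inventoried services.
const SAMPLE_LOCKFILES = {
  "storefront": { lockfileVersion: 3, packages: { "node_modules/next": { version: "13.4.0" } } },
  "media-portal": { lockfileVersion: 1, dependencies: { next: { version: "14.2.3" } } },
  "legacy-api": { lockfileVersion: 3, packages: { "node_modules/express": { version: "4.19.2" } } },
};
```

In practice, feed it `JSON.parse(fs.readFileSync(path))` for each service's lockfile and treat "unknown" results as action items rather than as clean.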
Technical Notes — The React2Shell flaw is a remote code execution (RCE) vulnerability in the server‑side rendering pipeline of Next.js, allowing attackers to execute arbitrary commands and read environment variables. Data harvested in this campaign includes database connection strings, API keys, and user passwords. Source: Dark Reading